Keycloak: Role based client log-in access restriction for users
Question
I am trying to achieve a fairly simple use case of role-based client application (VueJS multi-page applications) control using Keycloak.
As shown in the image, I have three different roles and three different clients in a single realm.
The arrow in the image represents which role can access which client.
So my main goals are:
- A user with role `Viewer` should only be able to log in to the `Viewer Application`. If the same user tries to access the `Operator Application` or `Admin application` then Keycloak should simply deny this user from doing so.
- The same rules should follow for users with the `Admin` and `Operator` roles. Users with the `Admin` role should be able to log in to any of these applications through Keycloak.
To achieve this use case I tried the following ways:
- First by appropriate role mapping to users and role creation in the clients. In this case, I created realm-level roles and then client-level roles, then assigned appropriate roles to the users created in the user section.
- Enabling `Authorization`. In the policies, I removed the default policy that grants all users access to the client, and created a `User` policy and a `Client` policy to restrict access to the client application.
- Also tried with a `Group`-based authorization policy. In this case, I created a group with the client role and then assigned users to these groups, and enabled them from the `Authorization` group policy.
But, unfortunately, none of this works. Meaning my user with the `Viewer` role can log in to my admin application. Which is just strange.
Recommended answer
I managed almost the same problem using a Keycloak extension SPI. After the deployment you will have an additional configurable "execution" available in authentication flows, named "Validate User Role".
The auth flow then looks like:
This execution must be placed after the "Username Password Form" (or other form which authenticates the user) or the authentication will fail.
Source code is here: https://github.com/ValentinChirikov/kc_user_role_validate_extension
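As an added illustration of the kind of "execution" the answer describes (this is not code from the linked repository), below is a Keycloak `Authenticator` SPI class that fails the flow unless the user authenticated by the preceding form holds the role configured for this execution, resolved first as a client role of the requesting client and then as a realm role. The config key name `role`, the class name, and the omitted `AuthenticatorFactory` plus `META-INF/services` registration needed for deployment are assumptions.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/**
 * Execution that denies login when the already-authenticated user lacks the
 * role configured for this execution (config key "role" is an assumed name).
 */
public class RequireRoleAuthenticator implements Authenticator {
    static final String ROLE_CONFIG_KEY = "role"; // assumed config key

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        ClientModel client = context.getAuthenticationSession().getClient();
        RealmModel realm = context.getRealm();
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String roleName = cfg == null ? null : cfg.getConfig().get(ROLE_CONFIG_KEY);
        if (user == null || roleName == null || roleName.isEmpty()) {
            // No user yet (execution placed before the login form) or no role
            // configured: fail closed rather than letting the login through.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        // Prefer a client role of the client being logged into; fall back to a realm role.
        RoleModel role = client.getRole(roleName);
        if (role == null) {
            role = realm.getRole(roleName);
        }
        if (role == null || !user.hasRole(role)) {
            // hasRole() also honours composite roles and group role mappings.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    // requiresUser() is why the execution must sit after the username/password form.
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

In the flow from the question, each client's browser flow would get this execution (marked Required) configured with that client's role, so a `Viewer` user reaching the admin client fails at this step instead of receiving a token.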